Enterprise threat detection (ETD) typically collects and stores a large amount of log data from various systems associated with an enterprise computing system to permit security of heterogeneous computing landscapes (for example, Big Data and other computing systems). The stored log data is normally purged on a periodic basis to conserve storage and computing resources. As a result, threats which can be found only in correlation with several events and in comparison with known past behavior are difficult to determine and to visualize once the collected log data is unavailable for further processing. The stored log data is usually analyzed using statistical analysis and forensic-type data analysis tools to identify suspicious behavior and to allow an appropriate response. Statistical analysis using standard normal deviation permits identification of anomalies in the log data, but not the building of individual evaluations/patterns or the reduction of anomaly alert/indication false positives. Enhanced ETD functionality with a more precise evaluation method is needed to detect anomalies and to support related ETD functions.